Service protection

ABSTRACT

Tampering with pieces of software is inhibited. Service protection inhibits tampering by allowing various unauthorized services to execute. Profiles are stored in a central hierarchical database and such profiles are protected from tampering. The obfuscation of a software image so as to becloud the comprehension of hackers in reverse engineering pieces of software comprising the software image is provided.

CROSS-REFERENCES TO RELATED APPLICATIONS

This application (Attorney Docket No. MSFT-1-23928) is a continuation ofpatent applications titled “Inhibiting Software Tampering” (AttorneyDocket No. MSFT-1-23433); “Profile Protection” (Attorney Docket No.MSFT-1-23929); “Thread Protection” (Attorney Docket No. MSFT-1-23927);“Installation Setup” (Attorney Docket No. MSFT-1-23926); “SoftwareObfuscation” (Attorney Docket No. MSFT-1-23499); “Image Verification”(Attorney Docket No. MSFT-1-23931); “Hardware Protection” (AttorneyDocket No. MSFT-1-23932); and “Registry Protection” (Attorney Docket No.MSFT-1-23933), all filed concurrently herewith, and further claims thebenefit of U.S. Provisional Application No. 60/578,937, filed Jun. 12,2004, all of which are incorporated herein by reference.

FIELD OF THE INVENTION

The present invention relates generally to security, and moreparticularly, to inhibiting software tampering by preventingmodification by unauthorized individuals or unauthorized pieces ofsoftware.

BACKGROUND OF THE INVENTION

Software makes computing machines powerful. Such machines can correctthe irregular rhythm of a person's defective heart or let people reachfor the constellations of the heavens. Yet, software is vulnerable tosomething as simple as accidental mischief or intentional harm.Accidental mischief may innocently come from a child who somehow gainsaccess to his parents' personal computer, causing physical loss of dataor changing settings that are detrimental to the use of the computingmachine, among other examples. Intentional harm is typically instigatedby a “hacker,” which is a dysphemism for a person who uses computingexpertise for illicit ends, such as by causing malicious software toexecute on computing machines or directly gaining access to computingmachines without permission and tampering with programs and data.

Operating systems are software that controls the allocation and usage ofcomputing machine resources such as memory, central processing unit(CPU) time, disk space, and peripheral devices. The operating system isthe foundation software on which applications depend. Popular operatingsystems include Windows 98, Windows NT, Windows XP, Mac OS, UNIX, andLinux. Operating systems are sometimes packaged in a way that isappropriate for a particular market. For example, a powerful operatingsystem used for the small niche server market can be retrofitted by thesoftware manufacturer in various ways that are appropriate for noviceusers in the large general consumer market. One problem is that noviceusers may inadvertently modify the retrofitted operating system, therebycrippling it. The most pernicious problem of all, however, is thathackers can reverse engineer the retrofitted operating system so as totransform it for use for other illicit purposes to the detriment of thesoftware manufacturer. FIG. 1 illustrates this problem and otherproblems in greater detail.

A software image 108 represents a duplicate or copy of an operatingsystem containing instructions that make computer hardware work. Ahacker or his malicious software 102 can modify the software image 108or cause it to be easily replaced because the software image 108 istypically a file stored somewhere in the computer hardware. The nexttime users 110 invoke the software image to run system software, such asthe operating system, the modified or supplanted software image is runinstead of the original provided by the software manufacturer.

The tampering of the software image 108 is typically carried out byhackers or pieces of malicious software 102, but rarely by users 110.However, a registry 106 can be unintentionally tampered with by theusers 110, as well as by hackers or pieces of malicious software 102.The registry 106 is a piece of system software used to store informationthat can be employed to configure the system for one or more users,applications, and hardware devices. For example, the registry could beused to enable three dimensional rendering and hardware accelerationsupport for consumer computing machines while disabling those samefeatures for server computing machines.

These pieces of information can be changed when users 110 act withadministrative permission, or by hackers or pieces of malicious software102 that improperly obtain permission to modify the registry. Hackersand pieces of malicious software 102 can attempt to manipulate theregistry 106 to overcome licensing restrictions so as to changeinformation in the registry, registry settings, and unlock additionalfeatures that were not meant for a particular audience or marketingchannel. One issue is that modification of the registry may cause thecomputing machine to stop working or to exhibit unpredictable behaviors.

Another problem involves tampering with executing software 104. Hackers,or pieces of malicious software 102, can improperly jettison properlyexecuting software 104 and supplant it with unauthorized or prohibitedsoftware services. Moreover, hackers or pieces of malicious software 102can emulate software responses or software calls and tamper with therunning of the executing software 104.

Given the problems of software tampering, both by accidental mischief orintentional harm, it will come as no surprise that unscrupulous hackersand their malicious software can cause software to be vulnerable.Without a resolution to the problem of software tampering, users mayeventually no longer trust computer manufacturers to provide a securecomputing experience while preventing access by unauthorizedindividuals. Thus, there is a need for a system, method, andcomputer-readable medium for securing software while avoiding orreducing the above problems associated with existing systems.

SUMMARY OF THE INVENTION

In accordance with this invention, a system, method, andcomputer-readable medium for inhibiting software is provided. The methodform of the invention includes a method for inhibiting servicetampering. The method comprises upon start-up of a computing machine,invoking by a log-on module a protection function of an obfuscateddynamic-link library to create a thread that inhibits the execution ofunauthorized services. The method further comprises communicating withan obfuscated protection dynamic-link library to access an encryptedprotection profile relating to a list of unauthorized services.

In accordance with further aspects of this invention, acomputer-readable form of the invention includes a computer-readablemedium having computer-executable instructions stored thereon forimplementing a method of inhibiting service tampering. The methodcomprises upon start-up of a computing machine, invoking by a log-onmodule a protection function of an obfuscated dynamic-link library tocreate a thread that inhibits the execution of unauthorized services.The method further comprises communicating with an obfuscated protectiondynamic-link library to access an encrypted protection profile relatingto a list of unauthorized services.

In accordance with further aspects of this invention, acomputer-readable form of the invention includes a computer-readablemedium having computer-executable instructions for implementing a methodof inhibiting tampering of a piece of software running on a computingmachine. The method comprises invoking a protection function of anobfuscated protection dynamic-link library to inhibit the execution ofunauthorized services. The method further comprises invoking anotherprotection function of the obfuscated protection dynamic-link library toprotect keys and values of a central hierarchical database.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing aspects and many of the attendant advantages of thisinvention will become more readily appreciated as the same become betterunderstood by reference to the following detailed description, whentaken in conjunction with the accompanying drawings, wherein:

FIG. 1 is a block diagram illustrating a conventional system showingproblems of software tampering in computing machines by unauthorizedindividuals.

FIG. 2 is a block diagram illustrating exemplary software components forsetting up pieces of software to inhibit tampering.

FIG. 3A is a block diagram illustrating exemplary software componentsthat interoperate to inhibit software tampering.

FIG. 3B is a block diagram illustrating exemplary profiles stored eitherin a registry or a dynamic-link library and the extraction of profilesby the safe interoperation of pieces of software, in accordance with oneembodiment of the present invention.

FIGS. 4A-4Z are process diagrams illustrating a method for inhibitingsoftware tampering, according to one embodiment of the presentinvention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

It is a dichotomy of software that it is powerful but vulnerable.Various embodiments of the present invention inhibit tampering withpieces of software. One embodiment is the obfuscation of a softwareimage so as to becloud the comprehension of hackers in reverseengineering pieces of software comprising the software image. Anotherembodiment is verifying whether the pieces of software togetherconstitute a software package that requires protection from tampering.As yet another embodiment is determining whether the hardware resources,such as the central processing unit or the cache memory on a computingmachine, belong to a class for which inhibiting software tampering ispossible. A further embodiment includes checking whether certaincritical files on the computing machine have been tampered with. Anadditional embodiment includes determining whether the registry has beentampered with. Some other embodiments include determining whethersoftware services that are executing have been tampered with.

FIG. 2 illustrates a software component 200, which includes a productidentifier (PID) dynamic-link library 200A, setup software 200B, andsetup information file 200C. The setup software component 200 isresponsible for determining whether a piece of software for inhibitingtampering can be installed on a computer system. The piece of softwareincludes any suitable pieces of software, such as system software (anoperating system), application software, and network software. Theproduct identifier dynamic-link library 200A belongs to a class ofexecutable routines stored separately from files. These routines haveparticular extensions, such as “DLL,” and are loaded only when needed bya program. These dynamic-link libraries can suitably be found as afeature of the Microsoft Windows family of operating systems and OS/2. Adynamic-link library has several characteristics: first, it typicallydoes not consume any memory until it is used; second, because adynamic-link library is a separate file, a programmer can makecorrections or improvements to only that module without affecting theoperating of the calling program, or any other dynamic-link library; andfinally, a programmer can use the same dynamic-link library with otherprograms.

The setup information file 200C belongs to a class of files that istextually based and contains information used by a setup application,such as the setup software 200B, during an installation. Typically, thesetup information file 200C, among other setup information files (suchas a protection information file 202A), is created before the authoringof a setup application, such as the setup software 200B. Examples ofinformation that may be stored in an information file includes registrychanges, file names, and locations of the source files on source media.The setup information file 200C, as well as the protection informationfile 202A, can also contain private sections. These private sectionsdepend on the setup software 200B and can be used to store specializedinformation used by a specific setup application, such as the setupsoftware 200B, for installing pieces of software that inhibit softwaretampering.

The setup software 200B is a program whose function is to installanother program, such as system software, application software, ornetwork software, either on a storage medium or in memory. The setupsoftware 200B might be used to guide a user through the often complexprocess of setting up an application for a particular combination ofmachine, printer, monitor, and network. The product identifierdynamic-link library 200A creates a unique product identifier and storesthe created product identifier 204A in a registry 204, which isdiscussed hereinbelow. The setup information file 200C prepares aninstallation dynamic-link library 202B for the installation of a pieceof software that inhibits software tampering. An installation component202 comprises a protection information file 202A and the installationdynamic-link library 202B. The protection information file 202A containsvarious pieces of information, such as registry changes, file names, andlocations of the source files for the installation of pieces of softwarethat inhibit software tampering. Additionally, the protectioninformation file 202A includes information for the installation of asystem file 206B and various software components that are particular toa marketed software package.

Contained within a software component 202, the installation dynamic-linklibrary 202B installs the actual piece of software that inhibitssoftware tampering, such as the protection dynamic-link library 206A,that is specific to a particular market segment and may provide contentor language appropriate for that particular market segment. Theinstallation dynamic-link library 202B also sets an activation key 204Cso as to allow the piece of software that inhibits tampering as embodiedin the protection dynamic-link library 206A to quickly identify that theinstallation is a secured installation. Moreover, the installationdynamic-link library 202B also installs a number of encrypted protectionprofiles that contain information pertaining to the hardware and/orlanguage, among other things, and various system files 206B so as toallow it to determine whether something has been tampered with.

The runtime component 206 comprises the protection dynamic-link library206A, which embodies a piece of software that inhibits softwaretampering with system files 206B, which include help files, andmarket-specific content files, such as language.

A central hierarchical database 204 includes the product identifier204A, the activation key 204C, and the encrypted protection profiles204D. The central hierarchical database 204 is used to store informationnecessary to configure the systems for one or more users, applications,and hardware devices. The central hierarchical database 204 containsinformation that an operating system continually references duringoperation, such as profiles for each user, the applications installed onthe computer, and types of documents each can create; property sheetsettings for folders and application icons; what hardware exists on thesystem; and which ports are being used. The central hierarchicaldatabase 204, in addition, can be used, as mentioned above, to storepieces of information that aid in the inhibition of software tampering.One suitable piece of information includes checksums, which arecalculated values that are used to test data for tampering, such as whena hacker modifies a file. The checksum is preferably calculated for agiven chunk of data by sequentially combining all the bytes of data witha series of arithmetic or logical operations. During the time period inwhich software tampering is verified or validated, a new checksum can becalculated in the same way using the stored data. If the two checksumsdo not match, software tampering may have occurred, and suitable stepscan be taken to correct the tampering or shut down the computingmachine.

FIG. 3A illustrates the execution of a piece of software for inhibitingsoftware tampering as embodied by the protection dynamic-link library306A. Various elements of FIG. 3A are similar to various elements ofFIG. 2A, and for brevity purposes they will not be further discussed. Alog-on component 308 comprises a log-on module 308A, and at theinitiation of a computer system, the log-on module 380A attempts to loadthe protection dynamic-link library 306A depending on the productidentifier 304A. If the appropriate product identifier exists in thecentral hierarchical database 304, the protection dynamic-link library306A will be loaded by the log-on module 308A. The log-on module 308A ispreferably a piece of software that receives the user name and passwordand validates the information before allowing the user to access thesystem software on the computing machine.

The protection dynamic-link library 306A, during the execution of thesoftware of the computer system, verifies that various system files 306Bhave not been tampered with by reading various encrypted protectionprofiles 304D. In addition, the protection dynamic-link library 306Averifies various settings of keys and their associated values todetermine whether they have been tampered with. The protectiondynamic-link library 306A initially creates timers to check the registryas well as services that are authorized to run on the computer system.If the system has been tampered with, the protection dynamic-linklibrary 306A preferably attempts to fix the tampering or initiatesshutdown of the computing machine, among other suitable methods ofdealing with tampering.

For example, the protection dynamic-link library 306A monitors thecentral hierarchical database 304 and resets keys and their associatedvalues if there has been tampering. The protection dynamic-link library306A also checks critical files, such as various system files 306B,against the information contained in the encrypted protection profiles304D and the protection dynamic-link library 306A to determine whetherthere has been tampering. Moreover, the protection dynamic-link library306A checks to make sure that software services running on the computersystems are authorized and removes unauthorized software services.

FIG. 3B illustrates the encrypted protection profiles 304D, accessibleby pieces of software, such as the log-on module 308A. The log-on module308A communicates with the protection dynamic-link library 306B toaccess the encrypted protection profiles 304D. The interoperabilitybetween the log-on module 308A and the protection dynamic-link library306B is preferably by a suitable protocol acknowledging thatcommunication or the transfer of information can safely take placebetween pieces of software.

One suitable protocol includes the transmission of a random salt value,which can comprise a string of numeric, alphabetic, or alphanumericinformation, sent by the log-on module 308A to the protectiondynamic-link library 306B. The protection dynamic-link library 306Bpreferably has two keys, a public library key and a private library key.In encryption and digital signatures, these keys comprise a string ofbits used for encrypting and decrypting information to be transmitted orreceived. Encryption commonly relies on two different types of keys, apublic key known to more than one person, and a private key known onlyto one person.

The protection dynamic-link library 306B uses the private library key todecrypt a profile, such as profiles 312-316. Each profile is suitablyorganized as a data structure, known as a blob, which is an amorphousdata structure in which various pieces of information can be stored.Preferably, blobs of profiles 312-316 are encrypted using the privatelibrary key of the protection dynamic-link library 306B. The profile 312includes a blob 1, which has been encrypted by the private library keyof the protection dynamic-link library 306B. The blob 1 includes profiledata 1 312A, whose size and format depend on a profile type, such as ahardware profile or a language profile. Blob 1 also includes a signature1 312B, which contains a checksum of the profile data 1 312A, digitallysigned with the public library key of the protection dynamic-linklibrary 306B. Blob 1 also includes a verify blob 1 312C, which is achecksum of the identifier of the profile 312 and the profile data 1312A, digitally signed with a public calling key of the log-on module308A and also encrypted with a private calling key of the log-on module308A.

The profile 314 is organized as a blob 2 within which is contained averifier blob 2 314A, which is a checksum of an identifier of theprofile 314 and its data described by the profile data 2 314B, digitallysigned with the private calling key of the log-on module 308A and alsoencrypted with a private calling key of the log-on module 308A. The blob2 includes the profile data 2 314B, whose size and format depend on aprofile type, such as a hardware profile or a language profile. The blob2 also includes a signature 2 314C, which is a checksum of the profiledata 2 314B, digitally signed with the public library key of theprotection dynamic-link library 306B.

The profile 316 is organized as a blob 3. The blob 3 includes asignature 3 316A, which is a checksum of a profile data 3 316C,digitally signed with the public library key of the protectiondynamic-link library 306B. The blob 3 includes a verifier blob 3 316B,which is a checksum of an identifier of the profile 316 and its profiledata 3 316C, digitally signed with the public calling key of the log-onmodule 308A and also encrypted with the private calling key of thelog-on module 308A. The blob 3 includes the profile data 3 316C, whosesize and format depend on a profile type, such as a hardware profile ora language profile. Note that for each blobs 1-3 of profiles 312-316,various named organizations, such as profile data 1-3, signatures 1-3,and verifier blobs 1-3, are placed differently in each of blobs 1-3 orprofiles 312-316. These differing arrangements aid in the inhibition ofthe tampering of profile data contained within the registry 304. Headerscontaining placement information exist within the blobs 1-3 allowing adetermination where each of the named organizations reside within theblobs 1-3.

When the protection dynamic-link library 306B has found the desiredprofile by decrypting the profile or the blob using its private librarykey, it will return the profile to the log-on module 308A. Prior toreturning the data to the log-on module 308A, the protectiondynamic-link library 306B computes a checksum from the identifier andthe profile data of the found profile. The checksum includes the resultof comparing the profile and the random salt value that was originallytransmitted by the log-on module 308A. The salt value in essenceinhibits the ability of a hacker from simply emulating the protectiondynamic-link library 306A to return a false profile to the log-on module308A.

When the computation of the checksum has occurred, the protectiondynamic-link library 306B returns to the log-on module 308A a resultwhich is essentially a result data structure with various pieces ofinformation (e.g., success, failure, and flags detailing the success orfailure), a verifier blob in the found profile, and the calculatedchecksum computed from the identifier of the profile, its data, theresult, and the random salt value. The log-on module 308A verifies thereturned result from the protection dynamic-link library 306B. Thelog-on module 308A decrypts the verifier blob using its private callingkey to obtain the checksum of the identifier of the profile and the dataof the profile. In addition, the log-on module 308A verifies thesignature of the verifier blob by using its public calling key.Moreover, the log-on module 308A computes a checksum from the decryptedverifier blob checksum, the results of the DLL, and the random saltvalue passed originally to the protection dynamic-link library 306A. Thelog-on module 308A performs a test to determine whether the checksum ithas computed matches the checksum returned by the protectiondynamic-link library 306B. If the checksums do not match, the log-onmodule 308A concludes that the system has been tampered with.

FIGS. 4A-4Z illustrate a method 400 for inhibiting software tampering.For clarity purposes, the following description of the method 400 makesreferences to various elements illustrated in connection with softwarecomponents 200, 202, 204, and 206 of FIG. 2A; the log-on module 308A;and the protection dynamic-link library 306B of FIGS. 3A-3B. From astart block, the method 400 proceeds to a set of method steps 402,defined between a continuation terminal (“Terminal A”) and an exitterminal (“Terminal B”). The set of method steps 402 describes theobfuscation of pieces of software for inhibiting software tampering.

From Terminal A (FIG. 4C), the method 400 proceeds to block 414 wheresource code is created for a protection dynamic-link library, whichembodies pieces of software that inhibit software tampering. The sourcecode is compiled and linked to create the protection dynamic-linklibrary (DLL). See block 416. Next, at block 418, an obfuscation controlfile, which contains names of classes, methods, and fields, is created.The method 400 then proceeds to block 420 where an obfuscation processis executed using the protection DLL and the obfuscation control filesas input. An obfuscated DLL is produced in which names of classes,methods, fields, and control flows are obfuscated. See block 422. Theobfuscation process makes the protection dynamic-link library difficultto debug by a hacker who is attempting to reverse engineer theprotection dynamic-link library. One example of obfuscation is theinsertion of jump instructions into the protection dynamic-link libraryor the reordering of programming instructions.

The obfuscation process described above is one of many suitabletechniques that provides for the renaming of symbols in the assembly ofsoftware so as to foil decompilers that attempt to reverse engineersoftware for illicit purposes. The obfuscation process can increaseprotection against illicit decompilation while leaving the applicationintact. The goal of obfuscation is confusion, which taxes the minds ofhackers to comprehend multifaceted intellectual concepts of pieces ofsoftware. While the obfuscation process would not only confuse a humaninterpreter, who is a hacker, it would also likely break a decompiler,which depends on certainties of logic. An obfuscation process creates amyriad of decompilation possibilities, some of which lead to incorrectlogic, hence causing uncertainties in translation.

From Terminal A1 (FIG. 4D), the method 400 proceeds to block 426 wherethe method calculates a checksum of the obfuscated protection DLL. Acatalog file is then created. See block 428. One suitable implementationof the catalog file is a database. The catalog contains the name of eachsoftware component, its version, and its signature (e.g., checksums).Next, at block 430, the checksum of the obfuscated protection DLL isplaced into the catalog file. The method 400 then proceeds to block 432where the method calculates a checksum of the catalog file containingthe checksum of the obfuscated protection DLL. The checksum of thecatalog file is also encrypted using a private key. See block 434. Inother words, the catalog file is digitally signed by the private key. Atthis point, the method 400 produces the obfuscated protection DLL andthe catalog file that can be verified. Verification aids in ascertainingwhether the obfuscated protection DLL is coming from a known source,such as a particular software manufacturer, and that the obfuscatedprotection DLL has not been tampered with. The method 400 then continuesto the exit Terminal B.

From Terminal B (FIG. 4A), the method 400 proceeds to a set of methodsteps 404, defined between a continuation terminal (“Terminal C”) and anexit terminal (“Terminal D”). The set of method steps 404 describes thesetting up of the protection dynamic-link library, which embodies piecesof software for inhibiting software tampering, on a computing machine.

From Terminal C (FIG. 4E), the method 400 proceeds to block 438 wherethe method obtains a product identifier for a piece of software andstores it in a central hierarchical database, such as a registry. Theproduct identifier is provided by a user, which he can obtain from a keytypically affixed to the packaging of the piece of software. The methoddecodes the product identifier to identify a class in which the piece ofsoftware is categorized. See block 440. The piece of software caninclude any suitable pieces of software, such as system software,application software, or network software. Next, at decision block 442,a test is made to determine whether protection is available for theidentified class. If the answer is NO, the method 400 proceeds toanother continuation terminal (“Terminal L”) and terminates execution.If, on the other hand, the answer to the test at decision block 442 isYES, the method 400 proceeds to block 444 where the installationdynamic-link library is invoked. The installation dynamic-link libraryinstalls an activation key into the central hierarchical database, suchas the registry, based on the product identifier. See block 446. Theactivation key allows the computing machine to quickly check anddetermine whether pieces of software for inhibiting software tamperingare running on the computing machine without decoding the productidentifier, which could be time consuming.

From Terminal C1 (FIG. 4F) the installation dynamic-link libraryinstalls encrypted protection profiles into the central hierarchicaldatabase, such as the registry. Upon the start-up of the computingmachine, a log-on module of the piece of software, such as systemsoftware, is executed. See block 450. Next, at block452, the log-onmodule decodes the product identifier stored in the central hierarchicaldatabase, such as the registry, and obtains the product class in whichthe piece of software is categorized. The method 400 proceeds todecision block 454 where a test is performed to determine whetherprotection is available for the identified product class. If the answeris NO to the test at decision block 454, the method 400 continues toTerminal L where it terminates execution. If the answer, on the otherhand, to the test at decision block 454 is YES, the log-on module 308Aattempts to load the obfuscated protection dynamic-link library onto thecomputing machine. See block 456. The method continues at anothercontinuation terminal (“Terminal C2”).

From Terminal C2 (FIG. 4G), the method 400 proceeds to block 458 wherethe method calculates the checksum of the protection dynamic-linklibrary to be installed. Note that hereinafter the obfuscated protectiondynamic-link library will be known as the protection dynamic-linklibrary for brevity purposes. The method obtains a list of catalog filesincluded in the system files. See block 460. Next, at block 462, themethod takes a catalog file from a list and searches for a checksumcontained in the catalog file. Decryption and verifying of the signatureoccurs. The method 400 proceeds to decision block 464 where a test isperformed to determine whether there is a match between the twochecksums. If the answer is NO to the test at decision block 464, themethod 400 continues to another continuation terminal (“Terminal C3”).If, on the other hand, the answer to the test at decision block 464 isYES, the method 400 continues to another continuation terminal(“Terminal C4”). The processing steps discussed in connection with FIG.4G describe a process by which a software image of the obfuscatedprotection dynamic-link library is verified to determine the originalityof the software image (i.e., whether the software image was originallyshipped or distributed by a desired software manufacturer.) If tamperinghas occurred, the verification process indicates that the software imageof the obfuscated protection dynamic-link library to be loaded has beentampered with and security error measures, such as shutting down acomputing machine, may have to be taken.

From Terminal C3 (FIG. 4H), the method 400 continues to decision block466 where a test is performed to determine whether there are morecatalog files to search. If the answer to the test at decision block 466is YES, the method continues to another continuation terminal (“TerminalC5”). From Terminal C5 (FIG. 4G), the method 400 loops back to block 462where the above-described processing steps are repeated. If, on theother hand, the answer to the test at decision block 466 is NO, themethod 400 continues to block 468 where the protection dynamic-linklibrary to be installed is not the original that came with the catalogfiles, signifying that it may have been tampered with. The method 400then continues at another continuation terminal (“Terminal C7”). FromTerminal C4 (FIG. 4H), the method 400 proceeds to decision block 470,where a test is performed to determine whether there is a protectiondynamic-link library and the trusted catalog file. If the answer is NOto the test at decision block 470, the method 400 continues to TerminalC5 where it loops back to block 462 and the above-described processingsteps are repeated. One suitable implementation of the test discussed indecision block 470 is a set of trust-checking application programminginterfaces provided by Microsoft Windows. Otherwise, if the answer tothe test at decision block 470 is YES, the method continues to anothercontinuation terminal (“Terminal C6”).

From Terminal C6 (FIG. 41), the method 400 proceeds to block 472 wherethe method verifies the found catalog file and obtains state data as areturn value by invoking a set of trust-checking application programminginterfaces. The method obtains trust provider information using obtainedstate data via the set of trust-checking application programminginterfaces. See block 474. Next, at block 476, the method obtains a basesigner from a certificate chain using the obtained trust providerinformation. The method 400 proceeds to block 478 where the methodvalidates the last element of the certificate chain using the context ofthe base signer. A test is performed to determine whether the lastelement contained a proper public key. See decision block 480. If theanswer is YES to the test at decision block 480, the method 400continues to Terminal C7. If, on the other hand, the answer to the testat decision block 480 is NO, the method continues to Terminal C5 whereit loops back to block 462 and the above-described processing steps arerepeated.

From Terminal C7 (FIG. 4J), the method 400 proceeds to decision block482 where a test is performed to determine whether the protectiondynamic-link library loaded successfully. If the answer to the test atdecision block 482 is NO, the method initiates system shutdown. Seeblock 484. The method 400 proceeds to Terminal L and terminatesexecution. If, on the other hand, the answer to the test at decisionblock 482 is YES, the method 400 proceeds to block 486 where the methodcreates a first timer running in a non-terminable thread. The methodthen continues on to two paths of execution represented by acontinuation terminal (”Terminal C8“) and the exit Terminal D. Thissplitting of execution paths at FIG. 4J is to illustrate the concurrencyof several pieces of software running on the computing machine.

From Terminal C8 (FIG. 4K), the method 400 proceeds to decision block488 where a test is performed to determine whether a pre-configured timeperiod has expired. If the answer is NO, the method 400 loops back todecision block 488 where the above-described processing steps arerepeated. If the answer to the test at decision block 488 is YES, themethod 400 proceeds to block 490 where the method checks the activationkey stored in the central hierarchical database, such as the registry,to decode the product class. Another test is performed to determinewhether there is protection available for the decoded product class. Seedecision block 492. If the answer is YES to the test at decision block492, the method 400 loops back to Terminal C8 where the above-discussedprocessing steps are repeated. If, on the other hand, the answer to thetest at decision block 492 is NO, the core application programminginterface has been tampered with and the method takes security measures,such as shutting down the computing machine. See block 494. The method400 then continues to Terminal L and terminates execution.

From Terminal D (FIG. 4A), the method 400 proceeds to a set of methodsteps 406, which is defined between a continuation terminal (“TerminalE”) and an exit terminal (“Terminal F”). The set of method steps 406determines whether the computing machine belongs to a class ofsupportable machinery.

From Terminal E (FIG. 4L), the method 400 proceeds to block 496 wherethe method verifies the existence of a set of instructions on thecentral processing unit of the computing machine to obtain itsidentification. A test is performed to determine whether the set ofinstructions is available. See decision block 498. If the answer to thetest at decision block 498 is NO, the central processing unit of thecomputing machine has an architecture that does not supportself-identification. See block 499. One suitable conclusion is that thecentral processing unit can support pieces of software for inhibitingsoftware tampering. The method 400 then continues to the exit TerminalF. If, on the other hand, the answer to the test at decision block 498is YES, the log-on module communicates with the protection dynamic-linklibrary to access the encrypted protection profile relating to theexcluded central processing unit classes. See block 497. In other words,there are files installed on the computing machine that describe variousparameters with which the computing machine operates. For example,language files describe the language in which an operating systempresents information to users. As another example, hardware filesdescribe the pieces of computing machinery that the operating systemsupports. The problem is that files can easily be tampered with by ahacker or malicious software. Contained within the encrypted protectionprofile are checksums that signify the original files installed on thecomputing machine. If the original files were to be tampered with, thechecksums of the tampered files and the checksums stored in theencrypted protection profile will not match, signifying that theoriginal files have been tampered with. For example, if a hacker were tomodify the hardware files to fool the operating system into supporting anon-supportable computing machine, the checksum of the modified hardwarefiles are likely to be different than the checksum stored in theencrypted protection file, hence allowing a determination of tampering.Returning to FIG. 4A, the log-on module passes into the protectiondynamic-link library of a random salt value that is used to enhancesecurity. See block 495. The random salt value makes it difficult for ahacker to defeat or intercept a functional invocation or call. As willbe discussed hereinbelow, the random salt value is used in thecalculation of a checksum based on the random salt value and data sentby the protection dynamic-link library. That checksum is comparedagainst the checksum calculated by the protection dynamic-link libraryto determine if tampering has occurred. The method 400 then continues toanother continuation terminal (“Terminal E1”).

From Terminal E1 (FIG. 4M), the method 400 proceeds to block 493 wherethe protection dynamic-link library decrypts an encrypted protectionprofile (“profile”) using a private library key. The protectiondynamic-link library compares the profile to the system. See block 491.Next, at decision block 489, a test is performed to determine whetherthe profile has been found. Each profile has a name that preferably is anumber of bits, such as 64 bits. If the answer is NO to the test atdecision block 489, the method 400 loops back to block 493 where theabove-described processing steps are repeated. If, on the other hand,the answer to the test at decision block 489 is YES, the method 400proceeds to block 487, where the protection dynamic-link librarycomputes a checksum for the identity of the profile, its data, thecomparison result, and the salt value. The protection dynamic-linklibrary returns a result data structure, a verifier blob of the profile,and the computed checksum. See block 485. The method then continues toanother continuation terminal (“Terminal E2”).

From Terminal E2 (FIG. 4N), the method 400 proceeds to block 483 wherethe log-on module uses a private calling key to decrypt the verifierblob and obtains a verifier checksum. The log-on module validates thesignature of the checksum using a public calling key. See block 481.Next, at block 479, the log-on module computes a checksum from thedecrypted verifier checksum, the received result data structure, and thesalt value. The method 400 proceeds to block 477 where the methodprepares the checksums computed by the log-on module and the protectiondynamic-link library. A test is performed to determine whether thechecksums are a match. See decision block 475. If the answer is NO tothe test at decision block 475, the method 400 continues to Terminal Land terminates execution. Otherwise, the answer to the test at decisionblock 475 is YES, and the method 400 proceeds to another continuationterminal (“Terminal E3”).

From Terminal E3 (FIG. 40), the method 400 proceeds to block 473 wherethe method extracts a list of excluded computing machine classes fromthe profile. The method then causes the computing machine to review CPUinformation (e.g., vendor identity, type, family, model number, brandidentity, and feature set). See block 471. Next, at decision block 469,a test is performed to determine whether the vendor identity is on theexcluded list. If the answer is NO to the test at decision block 469,the method 400 continues to Terminal F. Otherwise, the answer to thetest is YES, and the method continues to another continuation terminal(“Terminal E4”).

From Terminal E4 (FIG. 4P), the method 400 continues to decision block467 where a test is performed to determine whether the type, family, andmodel number are on the excluded list. If the answer is YES to the testat decision block 467, the method 400 continues at another continuationterminal (“Terminal E7”). Otherwise, if the answer to the test atdecision block 467 is NO, the method 400 continues to another decisionblock 465 where a test is performed to determine whether the brandidentity and the feature set are on the excluded list. If the answer isYES to the test at decision block 465, the method 400 continues toTerminal E7. Otherwise, if the answer to the test at decision block 465is NO, the method 400 continues to another continuation terminal(“Terminal E5”).

From Terminal E5 (FIG. 4Q), the method 400 continues to decision block463 where a test is performed to determine whether extended instructionsto determine the CPU or the central processing unit of the computingmachine identity exists. If the answer to the test at decision block 463is NO, the method continues to Terminal F. Otherwise, if the answer tothe test at decision block 463 is YES, the method invokes the extendedinstructions to obtain the name of the CPU or the central processingunit of the computing machine. See block 461. Next, at block 459, themethod invokes the extended instructions to obtain the cache size of thecentral processing unit. The method 400 continues at anothercontinuation terminal (“Terminal E6”).

From Terminal E6 (FIG. 4R), the method 400 proceeds to decision block457 where a test is performed to determine whether the name of thecenter processing unit is on the excluded list. If the answer to thetest at decision block 457 is YES, the method continues to Terminal E7.If the answer to the test at decision block 457 is NO, another test isperformed to determine whether the cache size of the CPU is on theexcluded list. See decision block 455. If the answer is YES to the testat decision block 455, the method 400 continues to Terminal E7.Otherwise, if the answer is NO, the method 400 continues to Terminal F.

From Terminal E7 (FIG. 4S), the method issues error messages that noprotection is available on the computer machine and initiates systemshutdown. See block 455. The method 400 then continues to Terminal L andterminates execution.

From Terminal F (FIG. 4B), the method 400 proceeds to a set of methodsteps 408 defined between a continuation terminal (“Terminal G”) and anexit terminal (“Terminal H”). The set of method steps 408 verifieswhether the install files have been tampered with.

From Terminal G (FIG. 4S), the log-on module communicates with aprotection dynamic-link library to access an encrypted protectionprofile relating to critical files on the computing machine. See block453. The steps 495-475 (in the illustrated sequence) of FIGS. 4L-4N areexecuted in the context of finding an encrypted protection profilerelating to critical files on the computing machine. See block 451.Next, at block 449, the method extracts a list of critical files fromthe profile. A test is performed to determine whether the critical fileson the computing machine have been changed. See decision block 447. Ifthe answer to the test at decision block 447 is YES, the method 400continues to Terminal L and terminates execution. Otherwise, the answerto the test at decision block 400 is NO, the method continues toTerminal H. Please note that processing steps between Terminal G andTerminal H can be concurrently executed so as to continuously checkwhether critical files on a computing machine have been changed ortampered with.

From Terminal H (FIG. 4B), the method 400 proceeds to a set of methodsteps 410 defined between a continuation terminal (“Terminal I”) and anexit terminal (“Terminal J”). The set of method steps 410 determineswhether the registry has been tampered with.

From Terminal I (FIG. 4T), upon start-up, the log-on module invokes aprotection function of the protection dynamic-link library to protectthe keys and values of the registry of the system context. See block445. The protection dynamic-link library creates a thread to protectvarious keys and values of the registry of the system context. See block443. Next, at block 441, the protection dynamic-link library returns ahandle to the just created thread to the log-on module. The method 400proceeds to block 439 where the method creates a timer to check thecontinuance of the thread protecting the keys and values of the registryat the system context. Next, the method 400 proceeds to threeindependent paths of execution, which are represented by a continuationterminal (“Terminal I2”), decision block 437, and another continuationterminal (“Terminal I4”). These independent paths of execution indicateconcurrency. A test is performed at decision block 437 to determinewhether a pre-configured time period has expired. If the answer is NO tothe test at decision block 437, the method 400 proceeds to anothercontinuation terminal (“Terminal I3”) and loops back to decision block437 where the above-described processing step is repeated. Otherwise, ifthe answer to the test at decision block 437 is YES, the method 400continues to another continuation terminal (“Terminal I1”).

From Terminal I1 (FIG. 4U), the method 400 proceeds to decision block435 where a test is performed to determine whether the thread hasterminated. If the answer to the test at decision block 435 is NO, themethod continues to another decision block 433 where another test isperformed to determine whether the thread has been suspended. If theanswer to the test at decision block 433 is NO, the method 400 continuesto Terminal I3 and loops back to decision block 437 where theabove-described processing steps are repeated. If the answers to thetests at decision blocks 435, 433, are YES, the method 400 proceeds toblock 431 where the system is believed to have been tampered with andthe method initiates system shutdown. The method 400 then continues toTerminal L and terminates execution.

From Terminal I2 (FIG. 4V) the method 400 proceeds to block 429 wherethe thread communicates with a protection dynamic-link library to accessa list of system registry keys and values to be protected. The steps495-475 (in the illustrated sequence) of FIGS. 4L-4N are executed. Seeblock 427. Next, at block 425, the thread subscribes for notification ofany changes to protect registry keys. A test is performed at decisionblock 423 to determine whether there is a notification of a change. Ifthe answer to the test at decision block 423 is NO, the method loopsback to decision block 423 where the above-described processing step isrepeated. Otherwise, the answer to the test at decision block 423 isYES, and the method fixes the tampered key and its value. See block 421.The method 400 then loops back to decision block 423 where theabove-described processing steps are repeated.

From Terminal I4 (FIG. 4W), the method 400 proceeds to block 419 whereupon log-on by a user, the log-on module invokes a protection functionof the protection dynamic-link library to protect the keys and values ofthe registry of the user context. The protection dynamic-link librarycreates a thread to protect various keys and values of the registry atthe user context. See block 417. Next, at block 415, the protectiondynamic-link library returns a handle to the just created thread to thelog-on module. The method 400 proceeds to block 413 where the methodcreates a timer to check the continuance of the thread protecting thekeys and values of the registry of the user context. The steps 437-421of FIGS. 4T-4U (in the illustrated sequence) are executed for the usercontext. The method 400 then continues to Terminal J.

From Terminal J (FIG. 4B), the method 400 proceeds to a set of methodsteps 412 defined between a continuation terminal (“Terminal K”) and anexit terminal (“Terminal L”). The set of methods 412 determines whetherservices have been tampered with or whether unauthorized services areexecuting. From Terminal K (FIG. 4X), upon start-up, the log-on moduleinvokes a protection function of the protection dynamic-link library toinhibit the execution of unauthorized services. The protectiondynamic-link library creates a thread to inhibit the execution ofunauthorized services. See block 407. Next, at block 405, the protectiondynamic-link library returns a handle to the just created thread to thelog-on module. The method 400 then continues to block 403 where themethod creates a timer to check the continuance of the thread inhibitingthe execution of unauthorized services. The steps 437-431 of FIGS. 4T-4Uare executed. See block 401. Next, at block 401A, the threadcommunicates with the protection dynamic-link library to access anencrypted protection profile relating to a list of unauthorizedservices. The method 400 then continues to another continuation terminal(“Terminal K1”).

From Terminal K1 (FIG. 4Y), the steps 495-475 of FIGS. 4L-4N areexecuted. A test is performed at decision block 401C to determinewhether an unauthorized service is running. If the answer to the test atdecision block 401C is NO, the method 400 continues to anothercontinuation terminal (“Terminal K2”). Otherwise, if the answer is YESto the test at decision block 401C, the method 400 proceeds to block401D where the method stops all services that are dependent on theunauthorized service. The unauthorized service is then deleted from theexecution. See block 401E.

From Terminal K2 (FIG. 4J), the method 400 proceeds to decision block401F where a test is performed to determine whether there are moreunauthorized services. If the answer to the test at decision block 401Fis YES, the method continues to another continuation terminal (“TerminalK3”). From Terminal K3 (FIG. 4Y), the method 400 loops back to decisionblock 401C where the above-described processing steps are repeated.Otherwise, if the answer to the test at decision block 401F is NO, themethod 400 proceeds to block 401G where the thread sleeps for apre-configured period of time. The method 400 then loops back todecision block 401C via Terminal K3 where the above-described processingsteps are repeated. The steps described in connection with the set ofmethod steps 412 defined between the Terminals K and L are preferablyconcurrently executed to other sets of method steps.

While the preferred embodiment of the invention has been illustrated anddescribed, it will be appreciated that various changes can be madetherein without departing from the spirit and scope of the invention.

1. A method for inhibiting service tampering, comprising: upon start-upof a computing machine, invoking by a log-on module a protectionfunction of an obfuscated dynamic-link library to create a thread thatinhibits the execution of unauthorized services; and communicating withan obfuscated protection dynamic-link library to access an encryptedprotection profile relating to a list of unauthorized services.
 2. Themethod of claim 1, wherein the act of invoking includes returning ahandle to the thread to the log-on module by the obfuscated dynamic-linklibrary.
 3. The method of claim 2, further comprising creating a timerto check the continuance of the thread inhibiting the execution ofunauthorized services.
 4. The method of claim 3, further comprisinginitiating system shutdown if a pre-configured time period has expiredand the thread has been terminated.
 5. The method of claim 4, furthercomprising initiating system shutdown if a pre-configured time periodhas expired and the thread has been suspended.
 6. The method of claim 5,further comprising finding by the obfuscated dynamic-link library aprofile containing the list of unauthorized services and computing achecksum from the identity of the profile, its data, and a salt valuepassed into the obfuscated protection dynamic-link library by the log-onmodule.
 7. The method of claim 6, further comprising returning by theobfuscated protection dynamic-link library a result data structure, averifier blob of the profile, and the computed checksum to the log-onmodule.
 8. The method of claim 7, further comprising taking securityerror measure if there is not a match between a checksum computed by thelog-on module and the checksum computed by the protection dynamic-linklibrary, the checksum computed by the log-on module depending on adecrypted verifier checksum, the received result data structure, and thesalt value.
 9. The method of claim 8, further comprising stopping allservices that are dependent on an unauthorized service if theunauthorized service is running and causing the unauthorized service tobe deleted.
 10. The method of claim 9, further comprising causing thethread to sleep for the pre-configured period of time.
 11. Acomputer-readable medium having computer-executable instructions storedthereon for implementing a method of inhibiting service tampering,comprising: upon start-up of a computing machine, invoking by a log-onmodule a protection function of an obfuscated dynamic-link library tocreate a thread that inhibits the execution of unauthorized services;and communicating with an obfuscated protection dynamic-link library toaccess an encrypted protection profile relating to a list ofunauthorized services.
 12. The computer-readable medium of claim 11,wherein the act of invoking includes returning a handle to the thread tothe log-on module by the obfuscated dynamic-link library.
 13. Thecomputer-readable medium of claim 12, further comprising creating atimer to check the continuance of the thread inhibiting the execution ofunauthorized services.
 14. The computer-readable of claim 13, furthercomprising initiating system shutdown if a pre-configured time periodhas expired and the thread has been terminated.
 15. Thecomputer-readable medium of claim 14, further comprising initiatingsystem shutdown if a pre-configured time period has expired and thethread has been suspended.
 16. The computer-readable medium of claim 15,further comprising finding by the obfuscated dynamic-link library aprofile containing the list of unauthorized services and computing achecksum from the identity of the profile, its data, and a salt valuepassed into the obfuscated protection dynamic-link library by the log-onmodule.
 17. The computer-readable of claim 16, further comprisingreturning by the obfuscated protection dynamic-link library a resultdata structure, a verifier blob of the profile, and the computedchecksum to the log-on module.
 18. The computer-readable medium of claim17, further comprising taking security error measure if there is not amatch between a checksum computed by the log-on module and the checksumcomputed by the protection dynamic-link library, the checkum computed bythe log-on module depending on a decrypted verifier checksum, thereceived result data structure, and the salt value.
 19. Thecomputer-readable medium of claim 18, further comprising stopping allservices that are dependent on an unauthorized service if theunauthorized service is running and causing the unauthorized service tobe deleted.
 20. The computer-readable medium of claim 19, furthercomprising causing the thread to sleep for the pre-configured period oftime.